Large Number of Apps Leaking Personal Info Through Ads

Kaspersky Lab’s security analysts have determined that the use of some third-party software development kits (SDKs) in mobile apps renders over 4 million applications insecure. Through these SDKs, personal information is leaked, including name, age, gender, email address, phone number, income, device information, location information, call history, and text messages.

Developers use these SDKs to embed advertisements in their apps. The SDK code collects user data in order to serve targeted ads relevant to the user’s interests. Displaying advertisements is often how developers earn revenue from their free applications and keep them supported. However, it is on the app-makers to employ security measures to protect their users’ data.

At a panel during the RSA conference, Roman Unuchek, a security researcher at Kaspersky Lab, revealed the team’s findings regarding this issue. Unuchek said that the lack of encryption when an app transmits data can lead to information being intercepted and used in a variety of malicious ways, such as spying, blackmail, identity theft, malware infections, and others.

The Kaspersky researchers examined a number of dating applications and found that quite a few of them were sending out unencrypted data via HTTP. Even though 63% of mobile apps converted to using HTTPS at the start of this year, they were not completely secure either, Unuchek added. The SDKs they used did not encrypt the collected user data before sending it out to servers.

Unuchek went on to explain that they looked at two widely used HTTP request methods: POST and GET. User data in GET requests is generally included in the URL, whereas in POST requests the data is embedded in content fields. The researchers concluded that many of the examined apps exposed user data through both kinds of request.
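The following Python audit is an added example, not code from Kaspersky or from the original article. A developer could run it over requests logged from their own app on a test device to flag personal-data fields sent over cleartext HTTP, either in the URL (GET) or in the body (POST). The hosts, the sample requests and the `PII_KEYS` list are constructed assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Field names treated as personal data (assumed list, modelled on the categories in the article).
PII_KEYS = {"name", "age", "gender", "email", "phone", "income", "lat", "lon", "location"}

# Constructed sample: (method, url, content type, body) as a proxy on a test device might log them.
SAMPLE_REQUESTS = [
    ("GET", "http://ads.example.test/fetch?gender=f&age=29&slot=banner", "", ""),
    ("POST", "http://sdk.example.test/track", "application/x-www-form-urlencoded",
     "email=user%40example.test&device=pixel"),
    ("POST", "http://sdk.example.test/profile", "application/json",
     '{"user": {"phone": "555-0100", "lang": "en"}}'),
    ("POST", "https://sdk.example.test/track", "application/x-www-form-urlencoded",
     "email=user%40example.test"),
]

def json_keys(node):
    """Yield every key found anywhere in a nested JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from json_keys(value)
    elif isinstance(node, list):
        for item in node:
            yield from json_keys(item)

def body_keys(content_type, body):
    """Return the field names of a JSON or form-encoded request body."""
    if "json" in content_type:
        try:
            return set(json_keys(json.loads(body)))
        except ValueError:  # malformed JSON: nothing to report
            return set()
    return {k for k, _ in parse_qsl(body)}

def audit(requests):
    """Return (method, host, where, PII keys) for each cleartext request carrying PII."""
    findings = []
    for method, raw_url, content_type, body in requests:
        url = urlsplit(raw_url)
        if url.scheme != "http":  # this audit only covers unencrypted transport
            continue
        places = {"url": {k for k, _ in parse_qsl(url.query)},
                  "body": body_keys(content_type, body)}
        for where, keys in places.items():
            hits = sorted(k.lower() for k in keys if k.lower() in PII_KEYS)
            if hits:
                findings.append((method, url.hostname, where, hits))
    return findings
```

Calling `audit(SAMPLE_REQUESTS)` reports the three cleartext requests and skips the HTTPS one.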

The researchers further pointed out that the interception of data works both ways: data arriving at the user’s device can be altered to display malicious advertisements instead of the original ones. If the user were to tap on these ads, they could be redirected to a malicious site, where further malware could be downloaded and installed.

Unfortunately, the examined apps have a large user base worldwide, with several million installations between them. Some of the domains identified as serving ads and transmitting unencrypted data are appsgeyser.com, mopub.com, nexage.com, rayjump.com, and tappas.net. The Kaspersky security researchers have not named the applications and advertisers in question.

In order to avoid the leaking and subsequent interception of personal data, all mobile app developers should switch to using HTTPS. In addition, they need to encrypt and secure the data that the advertising SDK sends out, in order to protect information about their users. Meanwhile, end users can also take some security measures of their own, by carefully reviewing the permissions that apps request and by using a trusted VPN or internet proxy.